CVE-2025-67916

Vulnerability

Overview

CVE-2025-67916 is a reflected Cross-Site Scripting (XSS) vulnerability in the Jobify WordPress theme, affecting versions from n/a through 4.3.0. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary web scripts into a web page that will be executed in the victim's browser [1].

Exploitation

This reflected XSS requires user interaction, such as clicking a crafted link or submitting a malicious form. The attacker does not need elevated privileges to initiate the attack, but successful exploitation depends on a privileged user (e.g., an administrator) performing the action [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit in mass-exploit campaigns targeting thousands of websites regardless of size or traffic [1].

Impact

A successful attack allows the attacker to inject arbitrary HTML and JavaScript payloads, including redirects, advertisements, or other malicious scripts. These payloads execute when visitors access the affected site, potentially leading to session hijacking, defacement, or further compromise [1].

Mitigation

The vulnerability has been patched in version 4.3.1 of the Jobify theme. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied [1].